I have a C++ program where I make a call to system("sync");. This results in a bunch of messages from AppArmor (see below).
After a short discussion with a Canonical developer, I was requested to open this bug report so that the command sync syscall would be allowed in a similar way as /usr/bin/env and /bin/env are already allowed in interfaces/apparmor/template.go.
See also: https://forum.snapcraft.io/t/bin-sync-not-allowed/3988
As a workaround, I will try to do a call to the fdatasync() syscall instead, but it would be nice to get the command allowed also.
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/etc/ld.so.cache" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="file_mprotect" profile="snap.xyz-daemon//null-/bin/sync" name="/bin/sync" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="file_mprotect" profile="snap.xyz-daemon//null-/bin/sync" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_ADDRESS" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_NAME" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_PAPER" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/SYS_LC_MESSAGES" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MONETARY" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_COLLATE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_TIME" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_NUMERIC" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_CTYPE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
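The workaround mentioned in the report, shown as an added example that is not part of the original report or of snapd: system("sync") starts a shell that executes /bin/sync, which is the exec the AppArmor profile has to permit, whereas calling fdatasync() or sync() directly stays inside the confined process. The function names and the temporary path are assumptions made for this illustration.

```cpp
// Added example: flush data to disk from inside the process instead of
// spawning /bin/sync through system(). Names and paths are hypothetical.
#include <cerrno>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <unistd.h>

// Write `data` to `path` and flush it with fdatasync().
// Returns 0 on success, otherwise the errno of the failing call.
int write_durably(const std::string& path, const std::string& data) {
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return errno;

    const char* p = data.data();
    size_t left = data.size();
    while (left > 0) {
        ssize_t n = ::write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR) continue;   // interrupted, retry the write
            int err = errno;
            ::close(fd);
            return err;
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    if (::fdatasync(fd) != 0) {             // flush this file's data only
        int err = errno;
        ::close(fd);
        return err;
    }
    return ::close(fd) == 0 ? 0 : errno;
}

// Direct equivalent of running the sync command: the sync() syscall
// flushes all filesystems without creating a child process.
void flush_everything() { ::sync(); }

int main() {
    char tmpl[] = "/tmp/sync-example-XXXXXX";   // constructed sample path
    int fd = ::mkstemp(tmpl);
    if (fd < 0) return 1;
    ::close(fd);
    int rc = write_durably(tmpl, "state to persist\n");
    ::unlink(tmpl);
    return rc;
}
```

fdatasync() only covers the one file descriptor, so it is the narrower call when the program just needs its own writes on disk; sync() matches what the sync command does.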
The /bin/sync or /usr/bin/sync command is allowed now. As such, I'm marking this as Fix Released.